
ansible (1.7.2+dfsg-2+deb8u2) request for testing



Greetings,

This is a request for testing of a proposed ansible update for jessie.

I have prepared an update of Ansible (version 1.7.2+dfsg-2+deb8u2) which
fixes several issues.  This is the changelog entry for the upload I have
prepared:

ansible (1.7.2+dfsg-2+deb8u2) jessie-security; urgency=high

  * Non-maintainer upload by the LTS Team.
  * CVE-2015-3908: Fix potential man-in-the-middle attack associated with
    insufficient X.509 certificate verification.  Ansible did not verify that
    the server hostname matches a domain name in the subject's Common Name (CN)
    or subjectAltName field of the X.509 certificate, which allows
    man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
    certificate.
  * CVE-2015-6240: Fix a symlink attack that allows local users to escape a
    restricted environment (chroot or jail) via a symlink attack.
  * CVE-2018-10875: Fix potential arbitrary code execution resulting from
    reading ansible.cfg from a world-writable current working directory.  This
    condition now causes ansible to emit a warning and ignore the ansible.cfg
    in the world-writable current working directory.
  * CVE-2019-10156: Fix information disclosure through unexpected variable
    substitution. (Closes: #930065)

 -- Roberto C. Sanchez <roberto@debian.org>  Fri, 06 Sep 2019 08:01:41 -0400

I have done my best to test each individual change/fix, in particular
making use of upstream's unit tests where possible.  However, given the
scope of changes and the fact that some of the changes required a fair
amount of backporting to make them suitable for this version of Ansible,
requesting some testing prior to upload seems prudent.  The packages can
be downloaded here:

https://people.debian.org/~roberto/

The .changes and .dsc files are signed with my key which is in the
Debian keyring.

Unless there are reports of problems with this update, I intend to
upload on Monday, 16th September.

Regards,

-Roberto

-- 
Roberto C. Sánchez
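The CVE-2015-3908 entry above says the client never checked that the server name matched a dNSName in subjectAltName or, failing that, the CN. The following is an added example written for this page, not Ansible's code, showing what that check has to do: SAN entries take precedence, the CN is consulted only when the certificate carries no dNSName SAN at all, and a wildcard is honoured only as the whole leftmost label. The certificate dicts are constructed samples in the layout returned by `ssl.SSLSocket.getpeercert()`. In a real client the built-in verification from `ssl.create_default_context()` should be used rather than a hand-written matcher; `hardened_context()` shows that configuration.

```python
"""Hostname verification against an X.509 certificate, the check the
CVE-2015-3908 changelog entry describes as missing.  Added example, not
Ansible's own code; sample certificates below are constructed."""
import ssl


def _dns_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName / CN value against a hostname (case-insensitive).

    A wildcard is accepted only when it is the entire leftmost label
    (e.g. "*.example.com") and at least two more labels follow, so
    "*.com" and "f*o.example.com" never match anything.
    """
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    # The wildcard covers exactly one label: "*.example.com" must not
    # match "a.b.example.com" or the bare "example.com".
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by a dNSName SAN, or by the CN
    when the certificate has no dNSName SAN at all (RFC 6125 fallback)."""
    hostname = hostname.rstrip(".").lower()
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        # CN fallback applies only when SAN has no DNS entries.
        dns_names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    return any(_dns_pattern_matches(p, hostname) for p in dns_names)


def hardened_context() -> ssl.SSLContext:
    """Client context that rejects peers failing chain or hostname checks.
    This is the library-provided equivalent of hostname_matches() and is
    what callers should rely on in production."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when a context both demands a certificate and checks its hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample certificates (not real), in getpeercert() layout.
SAN_CERT = {
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}

if __name__ == "__main__":
    for cert, name in ((SAN_CERT, "www.example.com"), (SAN_CERT, "other.example.net"),
                       (CN_ONLY_CERT, "legacy.example.org")):
        print(name, "->", hostname_matches(cert, name))
```

Note that `SAN_CERT` does not match `other.example.net` even though that is its CN: once a certificate carries dNSName SANs, the CN is ignored, which is the rule a permissive implementation most often gets wrong.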
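The CVE-2018-10875 entry above describes the fix as: when the current working directory is world-writable, warn and do not use the ansible.cfg found there. The following is an added example, not Ansible's own configuration loader, showing that decision in isolation: the directory mode is checked with `stat.S_IWOTH` before the file is trusted, and `demo()` exercises both outcomes on two constructed temporary directories. The warning text and the return shape are this example's own.

```python
"""Refuse an ansible.cfg found in a world-writable working directory, the
behaviour the CVE-2018-10875 changelog entry describes.  Added example,
not Ansible's code; directories and config contents are constructed."""
import os
import stat
import tempfile
from typing import Optional, Tuple


def dir_is_world_writable(path: str) -> bool:
    """True if 'others' may write in path.

    The sticky bit is deliberately not treated as mitigating: it stops
    other users deleting existing files, but anyone can still create a
    fresh ansible.cfg in the directory.
    """
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH)


def config_from_cwd(cwd: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (path, warning) for the cwd candidate.

    path is cwd/ansible.cfg when it exists and cwd is not world-writable;
    otherwise path is None, and warning is set when the file was present
    but ignored because of the directory permissions.
    """
    candidate = os.path.join(cwd, "ansible.cfg")
    if not os.path.isfile(candidate):
        return None, None
    if dir_is_world_writable(cwd):
        return None, (f"ignoring {candidate}: current directory {cwd} "
                      "is world writable")
    return candidate, None


def demo() -> dict:
    """Create one safe and one world-writable directory, each holding an
    ansible.cfg, and report whether the loader accepted it."""
    results = {}
    for label, mode in (("safe", 0o755), ("world_writable", 0o777)):
        with tempfile.TemporaryDirectory() as d:
            with open(os.path.join(d, "ansible.cfg"), "w") as fh:
                fh.write("[defaults]\nforks = 5\n")  # constructed, benign content
            os.chmod(d, mode)
            path, warning = config_from_cwd(d)
            results[label] = {"loaded": path is not None,
                              "warned": warning is not None}
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The check is on the directory, not the file: a read-only ansible.cfg in a directory others can write to gives no protection, since the file can simply be replaced.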

